Thanks Amos. If I use negotiate_wrapper then I'm able to access websites using squid (yes I dont get prompt for credentials) but I get many of these messages in cache.log 2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token 2011/04/30 13:56:33| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAJoAAAAqASoBsgAAABIAEgBYAAAAGgAaAGoAAAAWABYAhAAAABAAEADcAQAAFYKI4gYBsB0AAAAP7ybJT7FBFVDqpuR1XQqVQEwAQQBMAFMARwBSAE8AVQBQAHMAeQBlAGQALgBoAHUAcwBzAGEAaQBuAGkATABBAEwAUwAtAEkAVAAtADAANgA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOZTezFHvWzJUXf3Tk1kBg4BAQAAAAAAAC7ki+QcB8wBLHpqvSKv9yAAAAAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0ACAAwADAAAAAAAAAAAAAAAAAwAADFSQt0HTDf8OpuYYkUMfen9wZfPrromcHVsBG/ndGpWgoAEAAAAAAAAAAAAAAAAAAAAAAACQAmAEgAVABUAFAALwAxADkAMgAuADEANgA4AC4AMQA4AC4AMgAyADUAAAAAAAAAAABuHEq3B9Rp3pJ7I5hc5aWd' from squid (length: 659). 2011/04/30 13:56:33| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAJoAAAAqASoBsgAAABIAEgBYAAAAGgAaAGoAAAAWABYAhAAAABAAEADcAQAAFYKI4gYBsB0AAAAP7ybJT7FBFVDqpuR1XQqVQEwAQQBMAFMARwBSAE8AVQBQAHMAeQBlAGQALgBoAHUAcwBzAGEAaQBuAGkATABBAEwAUwAtAEkAVAAtADAANgA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOZTezFHvWzJUXf3Tk1kBg4BAQAAAAAAAC7ki+QcB8wBLHpqvSKv9yAAAAAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0ACAAwADAAAAAAAAAAAAAAAAAwAADFSQt0HTDf8OpuYYkUMfen9wZfPrromcHVsBG/ndGpWgoAEAAAAAAAAAAAAAAAAAAAAAAACQAmAEgAVABUAFAALwAxADkAMgAuADEANgA4AC4AMQA4AC4AMgAyADUAAAAAAAAAAABuHEq3B9Rp3pJ7I5hc5aWd' (decoded length: 492). 2011/04/30 13:56:33| negotiate_wrapper: received type 3 NTLM token 2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei ' 2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei ' 2011/04/30 13:56:33| negotiate_wrapper: Return 'AF = tim.panei ' 2011/04/30 13:56:39| negotiate_wrapper: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59). 2011/04/30 13:56:39| negotiate_wrapper: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40). 2011/04/30 13:56:39| negotiate_wrapper: received type 1 NTLM token 2011/04/30 13:56:39| negotiate_wrapper: Return 'TT TlRMTVNTUAACAAAAEgASADAAAAAVgonioXIqyzNaOaMAAAAAAAAAAIgAiABCAAAATABBAEwAUwBHAFIATwBVAFAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAAAAAA== ' 2011/04/30 13:56:39| negotiate_wrapper: Got 'KK TlRMTVNTUAADAAAAGAAYAJoAAAAqASoBsgAAABIAEgBYAAAAGgAaAGoAAAAWABYAhAAAABAAEADcAQAAFYKI4gYBsB0AAAAPdhlaEke/dDcr/4RKNRk2fUwAQQBMAFMARwBSAE8AVQBQAHMAeQBlAGQALgBoAHUAcwBzAGEAaQBuAGkATABBAEwAUwAtAEkAVAAtADAANgA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgVcliSQLD7vvZarRF5Sr4BAQAAAAAAAMfbNugcB8wB+xR68ZbrWeIAAAAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0ACAAwADAAAAAAAAAAAAAAAAAwAADFSQt0HTDf8OpuYYkUMfen9wZfPrromcHVsBG/ndGpWgoAEAAAAAAAAAAAAAAAAAAAAAAACQAmAEgAVABUAFAALwAxADkAMgAuADEANgA4AC4AMQA4AC4AMgAyADUAAAAAAAAAAAA5+4TAEwsbC+LD4YC+Npm2' from squid (length: 659). 2011/04/30 13:56:39| negotiate_wrapper: Decode 'TlRMTVNTUAADAAAAGAAYAJoAAAAqASoBsgAAABIAEgBYAAAAGgAaAGoAAAAWABYAhAAAABAAEADcAQAAFYKI4gYBsB0AAAAPdhlaEke/dDcr/4RKNRk2fUwAQQBMAFMARwBSAE8AVQBQAHMAeQBlAGQALgBoAHUAcwBzAGEAaQBuAGkATABBAEwAUwAtAEkAVAAtADAANgA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgVcliSQLD7vvZarRF5Sr4BAQAAAAAAAMfbNugcB8wB+xR68ZbrWeIAAAAAAgASAEwAQQBMAFMARwBSAE8AVQBQAAEAFgBQAFIATwBYAFkAUwBFAFIAVgBFAFIABAAaAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0AAwAyAHAAcgBvAHgAeQBzAGUAcgB2AGUAcgAuAGwAYQBsAHMAZwByAG8AdQBwAC4AYwBvAG0ACAAwADAAAAAAAAAAAAAAAAAwAADFSQt0HTDf8OpuYYkUMfen9wZfPrromcHVsBG/ndGpWgoAEAAAAAAAAAAAAAAAAAAAAAAACQAmAEgAVABUAFAALwAxADkAMgAuADEANgA4AC4AMQA4AC4AMgAyADUAAAAAAAAAAAA5+4TAEwsbC+LD4YC+Npm2' (decoded length: 492). 2011/04/30 13:56:39| negotiate_wrapper: received type 3 NTLM token 2011/04/30 13:56:39| negotiate_wrapper: Return 'AF = tim.panei Is this something of worry in long term? On 30 April 2011 13:45, Go Wow <gowows@xxxxxxxxx> wrote: > Amos, Do you know where the problem is? Should I move back to squid > 2.7, will that help? > > If I configure my squid to use ntlm auth I get so many NTLM Type 3 > token messages in cache.log. The same config works good on IE6. When I > test this with firefox 3.6+ or IE8 it keeps prompting the username. > > On 30 April 2011 13:30, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: >> On 30/04/11 20:13, Go Wow wrote: >>> >>> When I run msktutil I get this line in the output. >>> >>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database) >>> >>> I did kinit before issuing msktutil and it ran successfully. I can see >>> tickets when I issue klist. >>> >> >> Tickets, klist and keytabs do not matter in this case Kerberos is not >> involved. >> >>> >>> >>> On 30 April 2011 10:43, Go Wow wrote: >>>> >>>> Hi, >>>> >>>> I'm trying to configure Kerberos Authentication for squid. I'm >>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the >>>> kerberos authentication guide on squid-cache and many other guides, I >>>> always end up with these logs in my cache.log. My client browser keeps >>>> prompting for username/password. Even a valid set of credentials are >>>> not accepted. >>>> >>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM >>>> token >>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error >>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM >>>> token' >> >> "type 1 NTLM" aka NTLM authentication protocol. >> >> The Kerberos helpers for Squid only validate type 3 (Kerberos). >> >> Markus has developed a negotiate_wrapper helepr which can split the >> Negotiate auth protocol into Negotiate/Kerberos and Negotiate/NTLM >> validation. That may be of some help, though there are bugs in the Squid end >> which prevent is working sometimes. >> >> Amos >> -- >> Please be using >> Current Stable Squid 2.7.STABLE9 or 3.1.12 >> Beta testers wanted for 3.2.0.7 and 3.1.12.1 >> >
